In this thread I want to discuss some pieces of wisdom about password security. This will not be complete, just the basics that I remember at the moment.

First we have to distinguish between online and offline passwords:

Online passwords are passwords that you use to log in. This does not have to be as secure because the site sets the rules how often you can try. For example, a site could refuse your login for a while after 5 wrongly entered passwords.This means that an attacker cannot try out as many passwords as he wishes in a time as short as he wishes.

Offline passwords are passwords that you use for example to encrypt a file. This password has to be way stronger, because an attacker with the file cannot be forced to do less than a certain number of tries per second.For example if the attacker can take your encrypted file and put it on as many computer as he wishes to try out as many passwords per second as he wishes. The only way against that is to have a password so strong that an attacker could not get enough computing power to break it.

Note that an online password of a website can become an offline password, e.g. when the website is hacked and the password hashes that the operator stored are leaked.We will talk about offline passwords now because that is the most important issue for bitcoin users.

Randomness of characters: Depending on which set of characters you use, your password gets more randomness. For example if you use lower latin letters only, you have 26 characters. If you chose a password of length 8, you have 26^8 different possible passwords. To represent 26^8 possible passwords by a binary code, you need log_2(26^8) = 8 * log_2(26) = 8 * 4.7 = 38 bits. That's not much at all.

Code:

character setnumberbits per character[a-z]264.7[a-z0-9]365.2[a-zA-Z0-9]626.0all ascii946.6

You can see that the size of the character set matters a lot. But what matters even more is the length of the password. The number of possible passwords depends exponentially on the password length. For example for a whole-ascii password each additional character multiplies the number of possibilities by 94. This results in a growth of randomness by 6.6 bits for each character added.

Independence of characters: In the discussion above I assumed all the time that every character has the same probability. That is of course not always true. Attackers know that, and use it. That's why you should not use a dictionary word - in dictionary words the different characters are not independend.For example, in English words you know that after a "Q" almost always follows a "U". Because of this, the string "QU" has a much higher probability than the strings "QS", "QG" or "QL".

Conclusion: The way to a secure password is to choose from a large set of characters, and choose the characters randomly with the same probability of each characters. The longer the password, the better. If you use AES256 for example, up to 39 characters each additional character adds real randomness to the whole thing. After that, you don't get more for AES, but there exist other encryption algorithms with even longer key lengths (e.g. blowfish up to 448 bits = 68 chars of password).

What I did: When I started bitcoin, I choose a new 12-character whole-ascii password (79.2 bits of randomness). It was a pain to remember in the first hours, but after typing it a few times I got used to it. I use this password now for my encrypted seperate bitcoin user account (on Ubuntu) and for wallet backups.

If you considered that helpful, you might give me a tip: 1HuteXifXc3x8Nq9x8hHGUnFGDU7KFggXD

I personally use KeePass with a strong but memorable password to manage most of my "online" passwords as you call them.For "offline" passwords I use a simpler Passphrase in combination with a YubiKey (http://www.yubico.com/yubikey), e.g. to encrypt my laptop's HDD or my encrypted file-containers. The YubiKey provides (among other options) a 16-64 character static password. Of course, having to rely on a physical device like a YubiKey brings also some riscs. If you lose the key you're pretty much screwed, that's why I recommend either ordering a second YubiKey and program it with the same static password or writing the password down and storing it in a safe or a lockbox at a bank of your trust. But the most important thing is to never use the YubiKey's static password alone, you should always use it in combination with a leading passphrase so if anybody should actually steal your YubiKey they don't get access to anything you used it for.

This Yubico thing looks interesting, but for that price you may better get a smartcard that does public key crypto.

Really? Have a link? Thought a reader + cards would be alot more expensive (I paid € 18,- for my YubiKey).

By the way, instead of programming a static key you could also use the HMAC-SHA1 feature to derive a key blob from a given challenge (afraid it does require whipping up some code). Makes it a little harder to grab the key though..

This Yubico thing looks interesting, but for that price you may better get a smartcard that does public key crypto.

Really? Have a link? Thought a reader + cards would be alot more expensive (I paid € 18,- for my YubiKey).

By the way, instead of programming a static key you could also use the HMAC-SHA1 feature to derive a key blob from a given challenge (afraid it does require whipping up some code). Makes it a little harder to grab the key though..

That HMAC-SHA1 looks good. I don't want the PC to know my secret, but I want him to know that I know it.

Then create your own rule for converting the poem into a password. eg. take 3rd and 5th letter from each word and capitalize if word is a verb... or something more complex. Just make sure you keep the rule to yourself.

A good password stretching technique can go a long way to secure a short password. Reverting a 50 bit password hashed with SHA1 is trivial. Reverting the same password encrypted with 65.000 iterations of SHA1 (PKBDF2) for a total of 66 bits is much harder, feasible with GPU crackers. Reverting a 50 bit password stretched with a memory hard algorithm such as scrypt is probably not worthwhile for most any bitcoin wallet.

This is not a directly useful to the end-users, but I would hope the authors of wallet encryption will take notice.

That comes from the classification of characters, of course that's not exactly accurate. But there is no better way, the randomness of a string depends on the set of possible strings you assert it comes from.

If you assert that it is letters only, you have way less passwords to try, then if you assert that it is letters plus numbers.

The site seems to check only for that, which I mentioned in the OP depends on the assertion that all characters are independently chosen with equally distributed probability.

You have to read a lot and have a good memory, my favourite password system is to take either the first or last letter from a memorable sentence in something you have read, will never forget and has a tedious link to the site/file you're logging into.

You have to read a lot and have a good memory, my favourite password system is to take either the first or last letter from a memorable sentence in something you have read, will never forget and has a tedious link to the site/file you're logging into.